deekoo 0x7D1 October 0x19:
Suspicions.
What smells suspiciously like a government front is probing on the telephones, trying to collect biological data. Did someone launch a second biological attack on San Francisco? (What? Second? You didn't know about the first one?)

Suspicions.
Prince Shrub's approval ratings are sky-high, at least among the anomalous subset of the populace who respond to polls voluntarily.

Suspicions.
The Internet got Really Really Slow after the attacks. Maybe it's just Ghost ISP Syndrome. Somebodyorother spewed an Official Explanation involving Nimda probes. A fairly implausible explanation, as I haven't noticed any sharp changes in Odd Traffic to Yarm over the past two months. In fact, if anything, the number of port 80 probes I get has gone DOWN since the attacks (fairly gradually, though. Probably a sign that some enterprising script kiddie rooted all the Code Red-infested machines.) Omnivores, now, that's plausible. Nimda? Unlikely.

Probes, Distillate:
What I get seems to be dominated by: port 80 - IIS exploit worms.
Port 53: a zillion simultaneous DNS queries, purportedly from different IPs, over a few seconds to a minute. Probably something looking for vulnerable binds with spoofed sources in an effort to hide the real origin.
Port 1214: Kazaa. Which, according to its site, 'is built on standardised p2p technology from FastTrack. Already other networks are using the FastTrack p2p technology.' FastTrack's page describes it as 'FastTrack is a Peer-to-Peer technology company. FastTrack conceives and creates next generation scalable peer-to-peer networks all based on one core network stack.' Scarily, the first KaZaA poke of the night is from an AOLer, sharing an assortment of hymns, national-anthem type stuff, and treacly pop... Now, one might assume from this corpspeak that KaZaA (Yes, they spell it that way. *sigh*.) is a new protocol, only accessible using their software. One who makes said assumption knows bugger-all about corpspeak - while I haven't mucked about with their own client (the source isn't available. And I doubt that the Don't Reverse-Engineer This clause in the license will keep the crackers from exploiting anything that can be done with the strcpy, sprintf, and strcat calls...), the part of their protocol that their machines keep trying to talk to mine is Plain Old HTTP. Kazaa, unlike the websites of certain brain-dead governments who went for a Microsoft "Solution", works Just Fine with Lynx.
Port 111. An RPC worm that afflicts Linux, I think. Fairly infrequent.
And random ICMP crap whose numbers I don't remember.
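
An added example, not part of the original post: one way to flag the port 53 pattern described above (many queries, purportedly from different IPs, within a few seconds to a minute) in a list of logged probes. The log tuple format, the function name, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import Counter, deque

# Constructed sample of firewall hits as (unix_time, source_ip, dest_port).
# Addresses are from documentation ranges; none of this is real traffic.
SAMPLE_LOG = (
    [(1000, "203.0.113.7", 80), (1900, "203.0.113.9", 80),
     (3000, "192.0.2.53", 53), (3030, "192.0.2.53", 53),
     (7000, "203.0.113.40", 1214), (8000, "203.0.113.41", 111),
     (9000, "192.0.2.53", 53)]
    # Eight "different" sources hitting port 53 within 14 seconds.
    + [(5000 + 2 * i, f"198.51.100.{10 + i}", 53) for i in range(8)]
)

def find_source_bursts(events, port=53, window=60, min_sources=5):
    """Return (start, end, distinct_sources) for each burst on `port`.

    A burst is a stretch during which at least `min_sources` distinct
    source addresses were seen inside a sliding `window` of seconds.
    This flags the pattern only; UDP source addresses are unauthenticated,
    so the count cannot say which of the sources, if any, is real.
    """
    hits = sorted((t, src) for t, src, dport in events if dport == port)
    recent = deque()    # hits still inside the sliding window
    counts = Counter()  # source -> number of hits inside the window
    bursts, current = [], None
    for t, src in hits:
        recent.append((t, src))
        counts[src] += 1
        # Evict hits that have aged out of the window ending at t.
        while recent[0][0] < t - window:
            _, old = recent.popleft()
            counts[old] -= 1
            if not counts[old]:
                del counts[old]
        if len(counts) >= min_sources:
            if current is None:
                current = {"start": recent[0][0], "sources": set()}
            current["end"] = t
            current["sources"] |= set(counts)
        elif current is not None:
            bursts.append(current)  # window thinned out: burst is over
            current = None
    if current is not None:
        bursts.append(current)
    return [(b["start"], b["end"], len(b["sources"])) for b in bursts]

if __name__ == "__main__":
    for start, end, n in find_source_bursts(SAMPLE_LOG):
        print(f"port 53 burst: {n} distinct sources between t={start} and t={end}")
```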
